
Netcraft Detects Yahoo! Vulnerability

By David Hamilton, theWHIR.com, October 27, 2008

October 27, 2008 -- (WEB HOST INDUSTRY REVIEW) -- Amid cutting more than 1,500 jobs and watching its third-quarter net income fall 64 percent from last year's, Yahoo (www.yahoo.com) is now facing a website vulnerability that is being used to steal Yahoo users' identities.

Web analytics firm Netcraft (www.netcraft.com) has announced that its Netcraft toolbar community has found a flaw on a Yahoo website that is being exploited to steal Yahoo users' authentication cookies, which can be used to gain access to Yahoo accounts, such as Yahoo Mail.

UPDATE: In an email message to theWHIR Monday, Yahoo's HotJobs division stated the cross-site scripting vulnerability was quickly fixed. "The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, October 26) and a fix was deployed within a matter of hours," read the statement. "Yahoo appreciates Netcraft's assistance in identifying this issue."

In a Sunday post, Netcraft's Paul Mutton wrote: "The attack exploits a cross-site scripting vulnerability on Yahoo's HotJobs site at hotjobs.yahoo.com, which currently allows the attacker to inject obfuscated JavaScript into the affected page. The script steals the authentication cookies that are sent for the yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details."

Cross-site scripting vulnerabilities can allow authenticated session data to be read remotely by cookie-stealing scripts, letting the attacker reuse the same cookie values to hijack the victim's session without ever logging in. Netcraft advises administrators that this kind of flaw can usually be addressed by marking cookies HttpOnly, so that page scripts cannot read them.
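As an added illustration of the defences this paragraph points at (example code written for this page, not Netcraft's, Yahoo's or theWHIR's), the Node.js snippet below shows the HttpOnly attribute Netcraft recommends, a small audit helper that flags session cookies a response sets without it, and output encoding of a reflected parameter, which addresses the injection itself rather than only the cookie theft. All cookie names, token values and the example.test domain are constructed for the demonstration. One caveat a practitioner would add: HttpOnly keeps the cookie out of document.cookie, but it does not stop an injected script from acting on the user's behalf from inside the page, so encoding untrusted input is the primary fix and HttpOnly is a second layer.

```javascript
// Added example, not code from Netcraft, Yahoo or theWHIR. All sample values
// (cookie names, tokens, domain) are constructed for the demonstration.

// Encode untrusted text before reflecting it into HTML so that injected
// markup and script tags are rendered as literal characters, not executed.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Build a Set-Cookie header for a session cookie. HttpOnly keeps the value out
// of document.cookie, the channel a cookie-stealing script reads from; Secure
// and SameSite are common companions and are this example's choice.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Parse one Set-Cookie header into the cookie name and a lower-cased set of
// attribute names (path, domain, httponly, ...). The value is not needed here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, attributes };
}

// Audit check: given the Set-Cookie headers a response sends and the names of
// the cookies that carry sessions, return those a page script could still read.
function findScriptReadableSessionCookies(setCookieHeaders, sessionCookieNames) {
  const wanted = new Set(sessionCookieNames);
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => wanted.has(c.name) && !c.attributes.has('httponly'))
    .map((c) => c.name);
}

// Constructed sample response headers: one session cookie is missing HttpOnly.
const sampleSetCookieHeaders = [
  'auth=tok-1234; Path=/; Domain=.example.test',
  'session=sess-5678; Path=/; HttpOnly; Secure; SameSite=Lax',
  'prefs=lang=en; Path=/',
];
const sampleSessionCookieNames = ['auth', 'session'];

// Constructed sample of a reflected parameter carrying a harmless test payload.
const sampleParam = '<script>alert(1)</script>';

console.log('reflected safely as:', escapeHtml(sampleParam));
console.log('script-readable session cookies:',
  findScriptReadableSessionCookies(sampleSetCookieHeaders, sampleSessionCookieNames));
console.log('hardened header:', sessionCookieHeader('auth', 'tok-1234'));
```

Run it with node; for the constructed headers the audit reports only the auth cookie, and the same parser confirms that a header produced by sessionCookieHeader carries HttpOnly.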

Netcraft noted that this is not the first time a Yahoo website has shown vulnerabilities, having caught malign users with their hands in the cookie jar before. They reported that attackers exploited a cross-site scripting vulnerability earlier in the year on its ychat.help.yahoo.com site, injecting malicious JavaScript code into one of the site's webpages.

As with the earlier ychat.help.yahoo.com vulnerability and the current HotJobs one, Netcraft said simply visiting the infected pages on yahoo.com can be enough for a victim to fall prey to a phishing attack. Netcraft has implemented protection for Netcraft Toolbar users from these attacks, which warns users when a Yahoo URL contains cross-site scripting elements.
